Lessons from the SingPass scare

The personal data of some 1,500 residents here may have been accessed illegitimately through the SingPass system. -- ST PHOTO: LIM YAOHUI FOR THE STRAITS TIMES

By Victor Keong For The Straits Times

There is nothing like a good scare to make people sit up and pay attention to the issues that we would normally brush aside and think, "this happens to other people, not to me". The eBay password hack last month and the scare over the possible compromise of SingPass IDs and passwords earlier this month have shown that when personal - and potentially valuable - information is at risk, security is taken far more seriously.

Whether we like it or not, cybercrimes, like the traditional crimes of old, are here to stay. While individuals and organisations may do their best to protect themselves against being targeted, we have to acknowledge that as technological convenience advances, cybercrimes will also evolve in tandem; sometimes even outpacing the protection that has been developed against them.

In fact, some of the most advanced and comprehensive prevention methods are often developed from points learnt in the aftermath of attempted (and successful) cybercrime.

When faced with a cybercrime or potential cyberthreat, the first question is whether the organisation had done enough to prevent it from occurring. This is particularly true for organisations people put their trust in, such as financial institutions and government bodies.

In the wake of the incident involving the SingPass system, media reports have focused on the need for multi-factor authentication.

This is a security process in which the user provides two means of identification. One usually consists of a physical token, while the other is something memorised, such as a password.

But there are in fact other steps that need to be taken in the wake of such an attack.

Once a breach is identified, there are several questions an organisation can ask to determine the type and severity of the breach.

Is there a pattern to the breached accounts? Is there any information in the logs that tells the investigators if the attack was a targeted one, or simply an act of malice to inconvenience the organisation and its end-users?

These questions act as a guide for investigators to understand the nature of the attack.

Other information that investigators seek to gather includes the source of the attack, what method was used, its timing and frequency, and if there is any evidence of "trophies" being flaunted on bragging sites.

It is through this information gathered that defences can be set up to deter the source of the attack, and prevent the cyber criminal from doing further damage.

Password-related cybercrimes are among the most common, and rescues over these crimes likely centre around "actionable intelligence", a term used by experts in the field of cyber security. One example of such actions involves the detection of an offending source that has been logging onto a password-secured website, and is requesting password changes on more than two accounts in quick succession.

This is based on the assumption that a single source (a household in this instance) typically would not require a password reset for more than two people at one time.

Once detected, the affected organisation needs to "suspend" the source and investigate to determine if the password reset requests made are legitimate. By doing this, damage from such attacks can be limited.

Even if the threat is unsuccessful or just imagined, it often helps to put security issues in stark focus.

While the Infocomm Development Authority has confirmed that the SingPass system was not compromised, it has still led to questions about whether such sensitive information is sufficiently well protected.

Perhaps we have sacrificed security for convenience in having such a simple password system for these accounts?

In this era where cybercrimes are getting more intricate and complex, it is crucial that organisations enforce a more complex password system for their end-users, and insist that account holders use a mix of upper/lower case letters with numbers and wildcard characters like "*" and "!".

Strict enforcement of this can reduce the success rate of password-stealing cyber criminals. Recent studies have shown that a six-letter, lower-case password can take as little as 10 minutes for a hacker to break.

A mix of lower and upper case letters, numbers and symbols increases this period to an average of 18 days.

Even a nine-character, all lower-case password containing only letters would on average take four months to crack if intelligently devised. With an appropriate mixture, the time required becomes decades and centuries, not months.

To add another layer of security, public-sector organisations could take a leaf from the book of our local banks and consider two-factor authentication.

This includes a physical token that generates unique number codes upon every activation, or SMS alerts of these unique number codes.

This will further remove the element of predictability, and make it that much more difficult for cyber criminals to figure out the algorithms of the system.

Cybercrimes will only become more sophisticated as technology develops. While technology makes the world more convenient, it also makes it more dangerous.

It is therefore everyone's responsibility, not only that of the organisations with whom we entrust our personal data, to ensure that our information is well protected and, in the event of a breach, that quick and effective solutions are employed, and that we learn from it.

In the case of SingPass, this time the breach may have been contained, but the threat continues to be a real and present danger. If we do not learn from this situation, we may not be as lucky next time.